US7869451B2 - Method for operating a local computer network connected to a remote private network by an IPsec tunnel, software module and IPsec gateway


Info

Publication number
US7869451B2
Authority
US
United States
Prior art keywords
network
gateway
local
address
router
Prior art date
Legal status
Expired - Fee Related, expires
Application number
US11/300,107
Other languages
English (en)
Other versions
US20060171401A1 (en
Inventor
Olivier Charles
Laurent Butti
Franck Veysset
Current Assignee
Monarch Networking Solutions LLC
Original Assignee
France Telecom SA
Priority date
Filing date
Publication date
Application filed by France Telecom SA
Assigned to FRANCE TELECOM reassignment FRANCE TELECOM ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BUTTI, LAURENT, CHARLES, OLIVER, VEYSSET, FRANCK
Publication of US20060171401A1
Application granted
Publication of US7869451B2
Assigned to ORANGE reassignment ORANGE CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: FRANCE TELECOM
Assigned to TRANSPACIFIC IP GROUP LIMITED reassignment TRANSPACIFIC IP GROUP LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ORANGE
Assigned to ACACIA RESEARCH GROUP LLC reassignment ACACIA RESEARCH GROUP LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TRANSPACIFIC IP GROUP LIMITED
Assigned to MONARCH NETWORKING SOLUTIONS LLC reassignment MONARCH NETWORKING SOLUTIONS LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ACACIA RESEARCH GROUP LLC
Assigned to STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT reassignment STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT PATENT SECURITY AGREEMENT Assignors: ACACIA RESEARCH GROUP LLC, AMERICAN VEHICULAR SCIENCES LLC, BONUTTI SKELETAL INNOVATIONS LLC, CELLULAR COMMUNICATIONS EQUIPMENT LLC, INNOVATIVE DISPLAY TECHNOLOGIES LLC, LIFEPORT SCIENCES LLC, LIMESTONE MEMORY SYSTEMS LLC, MERTON ACQUISITION HOLDCO LLC, MOBILE ENHANCEMENT SOLUTIONS LLC, MONARCH NETWORKING SOLUTIONS LLC, NEXUS DISPLAY TECHNOLOGIES LLC, PARTHENON UNIFIED MEMORY ARCHITECTURE LLC, R2 SOLUTIONS LLC, SAINT LAWRENCE COMMUNICATIONS LLC, STINGRAY IP SOLUTIONS LLC, SUPER INTERCONNECT TECHNOLOGIES LLC, TELECONFERENCE SYSTEMS LLC, UNIFICATION TECHNOLOGIES LLC
Assigned to MONARCH NETWORKING SOLUTIONS LLC, R2 SOLUTIONS LLC, BONUTTI SKELETAL INNOVATIONS LLC, CELLULAR COMMUNICATIONS EQUIPMENT LLC, MOBILE ENHANCEMENT SOLUTIONS LLC, STINGRAY IP SOLUTIONS LLC, ACACIA RESEARCH GROUP LLC, SAINT LAWRENCE COMMUNICATIONS LLC, INNOVATIVE DISPLAY TECHNOLOGIES LLC, SUPER INTERCONNECT TECHNOLOGIES LLC, UNIFICATION TECHNOLOGIES LLC, LIMESTONE MEMORY SYSTEMS LLC, TELECONFERENCE SYSTEMS LLC, NEXUS DISPLAY TECHNOLOGIES LLC, AMERICAN VEHICULAR SCIENCES LLC, LIFEPORT SCIENCES LLC, PARTHENON UNIFIED MEMORY ARCHITECTURE LLC reassignment MONARCH NETWORKING SOLUTIONS LLC RELEASE OF SECURITY INTEREST IN PATENTS Assignors: STARBOARD VALUE INTERMEDIATE FUND LP
Assigned to MONARCH NETWORKING SOLUTIONS LLC reassignment MONARCH NETWORKING SOLUTIONS LLC CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED ON REEL 053654 FRAME 0254. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST GRANTED PURSUANT TO THE PATENT SECURITY AGREEMENT PREVIOUSLYRECORDED. Assignors: STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT
Assigned to STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT reassignment STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNOR NAME PREVIOUSLY RECORDED ON REEL 052853 FRAME 0153. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST GRANTED PURSUANT TO THE PATENT SECURITY AGREEMENT PREVIOUSLY RECORDED. Assignors: MONARCH NETWORKING SOLUTIONS LLC
Legal status: Expired - Fee Related (current)
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the invention relates, in general, to the operation of mutually connected networks, in particular computer networks.
  • the invention relates to a method for operating a local network comprising a local terminal connected to a gateway of a remote network by a blocking tunnel, which method includes an operation in which the flows from the terminal are directed to the gateway through the blocking tunnel.
  • a connection between two networks can be an IP connection and can be constituted by the Internet or by any other network using Internet protocols.
  • IPsec: Internet Protocol Security
  • This invention, in its primary intended application, relates to computers in a nomadic situation, i.e. when they are connected to a private business network using the IPsec protocol. It is especially applicable when the nomad user telecommutes, i.e. when he or she connects from the home network (the local network of his or her home) to the remote private network of the business. The method is nevertheless applicable to other types of local networks, such as wireless connection zones referred to as “wi-fi hotspots”, for example.
  • the term “terminal” or “local terminal” refers to the computer from which the nomad user connects to the local network, and then to the remote private network of the business.
  • the term “local equipment” refers to any computer equipment connected to the local network and which must be provided with access to the terminal during its IPsec connections.
  • This local equipment is typically a printer, but can also be any other type of server on the local network (ftp, telnet, etc.) to which the terminal must have access during its IPsec connections.
  • the term “router” refers to equipment located at the entry point of the local network (or home network in the case of a nomad user such as a telecommuter), whose functions will be described in greater detail below.
  • the term “gateway” refers to equipment located between the terminal and the remote private network of the business, which is in particular responsible for terminating the tunnels, in particular IPsec tunnels, coming from the terminals, and whose functions will be described in greater detail below. It can be located at the edge of the remote network and managed by the business or by a telecommunications network operator.
  • in blocking mode, the IPsec client does not allow the local terminal to access the local network and the remote network of the business simultaneously. Without this prohibition, the terminal would be in a “double connection” situation (split tunneling) and would bridge the two networks, constituting a serious security flaw.
  • blocking mode: a specific mode provided in particular by the IPsec client software.
  • the blocking mode is therefore a technique that prevents the double connection of a local terminal to the remote network reached over IPsec (typically the private network of the business) and to the local network (typically the home network). To do this, the blocking mode prevents any communication of the local terminal outside of the IPsec tunnel, which significantly limits the risk of bounce (relay) attacks through the IPsec tunnel into the information system of the business.
  • the security policies of businesses that can be accessed remotely with IPsec generally activate blocking mode by default.
  • the blocking mode is implemented in the IPsec software of the terminal, and generally modifies the client routing configuration so as to send all packets to a default route that belongs to the addressing plan of the remote network of the business. It also uses an access filtering function (typically a personal firewall) preventing any communication from the outside to the terminal.
  • during a connection to its remote network (also called the “intranet”), the nomad terminal can no longer access the machines (equipment) present on the local network to which it is physically connected. In particular, it no longer has access to the printer of its local network, since all of the control and data flows are automatically channeled by the blocking tunnel to the remote network of the business.
  • the objective of the present invention is, in particular, to propose a method enabling the local terminal to address a local apparatus in spite of the concomitant existence of a connection of this terminal to an IPsec gateway through a blocking tunnel, wherein this functionality is obtained without adversely affecting the security provided by the blocking tunnel and without any modification of the local terminal or the local equipment concerned, in particular the printer.
  • the method of the invention which corresponds to the general definition provided in the preamble above, is essentially characterized in that it also includes an operation of sending a flow not intended for said remote network implemented in the gateway and consisting of sending said flow from the terminal intended for an apparatus of the local network to said local equipment.
  • the sending operation can, for example, involve the reception of said flow by a router of the local network, and the directing by said router of said flow to said equipment.
  • the sending operation can also include the analysis by the gateway of the flows so as to recognize a flow not intended for said remote network.
  • the invention in a very specific and detailed definition, can also consist of a method for operating a local computer network in a configuration including, in addition to said local network,
  • a local router located at the interface between the local network and the connection network
  • an IPsec gateway located at the interface between the remote network and the connection network, wherein the local network includes at least one local terminal and a local computer apparatus, and the terminal is connected to the IPsec gateway by an IPsec tunnel in blocking mode, which method allows for automatic rerouting, to the gateway and through the tunnel in blocking mode, of a control and/or data flow from the terminal intended for the local equipment, and therefore including:
  • a sending operation implemented in the gateway and consisting of sending to the local router the control and/or data flow from the terminal, and
  • a directing operation implemented in the local router and consisting of directing to said local equipment the control and/or data flow from the local terminal and sent by the gateway to the local router.
  • the method can also include a correlation operation implemented in the gateway during the establishment of the blocking tunnel and consisting of storing a correspondence table putting the routable address of the local router and the address of the terminal inside the remote network in mutual correspondence, in which the operation of sending the control and/or data flow uses the correspondence table, and consisting of sending to the routable address of the local router the control and/or data flow coming from the terminal identified by the address inside the remote network.
  • the directing operation is preferably implemented by a port translation technique.
  • control and/or data flow can, for example, include a print command.
  • the method can include an additional operation, implemented by the gateway, and consisting of establishing a second IPsec or SSL-type tunnel connecting said gateway to the local router.
  • the operation implemented by the gateway can consist of establishing a second IPsec or SSL-type tunnel connecting said gateway to the local equipment, in this case constituted by a printer.
  • the method of the invention can include an operation implemented by the local router and consisting of reserving for the gateway the access to the local equipment, in this case constituted by a printer.
  • the invention also relates to a software module including instructions that, once this module is loaded on an IPsec gateway, implement at least the correlation operation of the method as defined above, which instructions can also implement the analysis operation and the sending operation of this method.
  • the invention also relates to an IPsec gateway, which is at least partially controlled by a software module as defined above.
  • the FIGURE diagrammatically shows the architecture and the means implemented in the invention.
  • FIG. 1 is a schematic view demonstrating a local computer network linked to a remote computer network.
  • the invention relates in particular to a method for operating a local computer network RES_L, for example a home network, in the configuration shown in the FIGURE, which includes, in addition to this local network RES_L, a remote private computer network RES_D, for example a business “intranet” network, a local router ROUT_L, and an IPsec gateway PASS_D, wherein the local network RES_L itself includes at least one local terminal T_L and a local computer apparatus E_L such as a printer or a server for any type of home service over IP, which the terminal T_L must be able to access at all times, for example ftp, telnet, and so on.
  • the T_L terminal is configured with a list of peripherals E_L, such as printers on which it can perform print jobs, and in particular the printer of the local network. It also implements the IPsec protocol in order to connect to the IPsec gateway PASS_D.
  • the IPsec software is assumed to function only in blocking mode, i.e. not to allow split tunneling.
  • the local router ROUT_L, which is located at the entry point of the local network RES_L, performs several functions, namely:
  • the router ROUT_L translates, during an Internet connection, these internal addresses into the routable address AD_1, which is the one that this router obtained when connecting to the Internet access provider's network.
  • This translation method is known to a person skilled in the art as NAT/NAPT (Network Address Translation, Network Address Port Translation), [RFC3022]. It consists of maintaining a correspondence table between the pairs: internal IP address, internal port number, and the pairs: external IP address, external port number. For each information packet addressed to the router ROUT_L or transmitted by it, the translation is performed according to this table; and
  • a port translation technique (known to a person skilled in the art as “port forwarding”), which consists of statically defining an association between an external port of the router and an internal address and port on the local network, and which enables machines outside the local network RES_L to access servers inside this local network by connecting to the known port numbers of the router.
  • the IPsec gateway PASS_D, which is located between the terminal T_L and the network RES_D of the business, is responsible for terminating the IPsec tunnels from the terminals. It has packet routing functions and therefore has one interface on the Internet and another on the private network RES_D.
  • the gateway PASS_D, to which, for example, a routable address AD_2 is assigned, assigns the terminal T_L an address ad_3 inside the remote network RES_D during the establishment of the IPsec blocking tunnel between said terminal and said gateway.
  • the gateway of the invention comprises a software module MTI which offers the terminal T_L access to the equipment E_L or to the local equipment of the network RES_L, in a way that is specific to the invention, which will be described below in greater detail.
  • the local network RES_L uses a so-called “private” addressing plan, i.e. one complying with RFC 1918. This corresponds to the default choice of manufacturers of home routers ROUT_L; this network runs a DHCP server which assigns IP addresses from a “private” address range.
  • the remote network RES_D, for example the business network, does not use the same subnetwork addressing as the home network RES_L. At a minimum, even if such an overlap exists, the ambiguity regarding the network being addressed is removed by taking into account the origin of the request. Two cases arise:
  • the receiving equipment is a machine of the business network RES_D;
  • the receiving equipment is a machine of the local network RES_L.
  • the IPsec gateway PASS_D can make this distinction insofar as it knows the two addressing plans and straddles the two networks.
  • the method of the invention is based on the following principles:
  • the IPsec gateway PASS_D is the default router of all of the terminals T_L of the home networks such as RES_L.
  • the print order will be systematically sent to the IPsec gateway PASS_D, since a connection cannot be made with the printer E_L due to the tunnel established in blocking mode between the terminal T_L and the gateway PASS_D.
  • This is the normal behavior of an IP stack because the IPsec blocking mode modifies the client's routing table by forcing all of the packets to go to the business network RES_D.
  • when the IPsec gateway PASS_D sees the arrival of IP packets addressed by the terminal T_L to the local equipment E_L identified by its internal address ad_2, it notes that it cannot route them to the business network RES_D. Indeed, given the assumptions above, the requested destination address ad_2 does not belong to the network RES_D of the business, or at the very least a home terminal T_L has no reason to request such an address. The gateway PASS_D then deduces that it must send the packets to the home network RES_L.
  • to be able to reroute this traffic, however, the gateway PASS_D needs to know to which home router ROUT_L it must be sent.
  • this information is constructed by the software module MTI, at the time of construction of the IPsec tunnel previously established between the terminal T_L and the IPsec gateway PASS_D.
  • the IPsec gateway PASS_D assigns the terminal T_L an internal address ad_3 of the business addressing plan.
  • the IPsec gateway PASS_D therefore knows the link between the address ad_3 of the terminal T_L on the internal addressing plan of the business and the public address AD_1 of the home router ROUT_L, and the function of the software module MTI is in particular to keep track of this correspondence.
  • when the IPsec gateway PASS_D receives IP packets from the nomad terminal T_L and must send these packets to the home network RES_L, it knows precisely the public address AD_1 of the home router ROUT_L.
  • the home router ROUT_L normally implements a port translation mechanism (“port forwarding”), so that, when it receives connections from the Internet on a particular port, it can translate the address to a local internal apparatus E_L on a particular port number. For example, in this case, all of the packets received from the Internet on the printing port can be forwarded directly to the printing port of the internal printer E_L at address ad_2.
  • This technique can be used with all existing print protocols, in particular IPP, described below.
  • IPP: Internet Printing Protocol
  • when the terminal T_L constructs its IPsec tunnel, it participates in an IKE exchange (RFC 2409) with the IPsec gateway PASS_D, during which the IPsec gateway receives IP packets whose source address is the public IP address of the home router ROUT_L, i.e. AD_1.
  • the IPsec gateway PASS_D assigns the terminal T_L a dynamic IP address, referred to as ad_3, belonging to the addressing plan of the network RES_D of the business.
  • the IPsec gateway, which knows the public address AD_1 of the router ROUT_L of the local network RES_L and the address ad_3 dynamically assigned to the terminal T_L, sends the module MTI a message to update the correspondence table that associates these two addresses.
  • upon receipt of the message to update the correspondence table with the addresses AD_1 and ad_3, the software module MTI updates the table.
  • when the terminal T_L starts a print job, it chooses the printer E_L of the local network RES_L as the destination printer, as it would in the simpler situation where no IPsec tunnel was established.
  • the control and data flow from the terminal T_L intended for the printer E_L is channeled by the tunnel to the IPsec gateway PASS_D.
  • the IPsec gateway PASS_D asks the software module MTI to which home router it is to redirect this traffic. To do this, the gateway PASS_D provides the module MTI with the address of the terminal T_L as seen on the network RES_D of the business, i.e. the address ad_3 that was assigned to it during the IKE exchange.
  • the module MTI consults the correspondence table and, from the address ad_3 of the terminal T_L, deduces the public address AD_1 of the home router ROUT_L.
  • the IPsec gateway updates its routing table with this new destination and transmits the print order to the home router ROUT_L.
  • the gateway PASS_D thus relays all the packets received to the public IP address AD_1 of the home router ROUT_L.
  • the home router redirects them to the printer E_L by means of the port translation mechanism (“port forwarding”).
  • when the terminal T_L closes the IPsec session, or when the IPsec gateway PASS_D detects that the terminal T_L has disconnected, the gateway asks the module MTI to delete from its table the entry corresponding to the terminal T_L, and also purges from its own routing table the line corresponding to this terminal.
  • the method of the invention thus makes it possible to do without split tunneling while still allowing the terminal T_L to contact local machines on its own network RES_L. Because the terminal never communicates outside the tunnel, the security of the business network is not reduced.
  • This method does not require any modification or configuration on the printer E_L, the home router ROUT_L or on the terminal T_L.
  • the flow circulating from the IPsec gateway PASS_D to the home network RES_L can be protected from eavesdropping by an IPsec tunnel established between this gateway and the router ROUT_L.
  • This tunnel is constructed on the initiative of the IPsec gateway when it wants to reroute a flow to the home network RES_L.
  • the home router must be configured so as to accept the construction of the tunnel without the user's intervention.
  • the flow circulating from the IPsec gateway PASS_D to the home network RES_L can also be protected from eavesdropping by an SSL tunnel established between the IPsec gateway and the printer E_L, if this printer has the ability to communicate in SSL. This functionality can therefore be advantageously used in this invention.
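The gateway-side correlation table and the router-side port forwarding described above (the MTI table keyed by ad_3, the "not in the business plan, so send it home" decision, the relay to AD_1, the static forward to E_L, and the purge on session teardown) can be walked through in code. The following Python model is an added example written for this page; it is not the patent's software module MTI nor any vendor's implementation. All addresses (TEST-NET ranges for the public side, 192.168.1.0/24 for the home network, 10.10.0.0/16 for the business plan), the port numbers (IPP on TCP 631, raw printing on 9100) and every class and function name are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed port numbers: IPP listens on TCP 631 (RFC 2911); 9100 is the raw
# printing port many printers also expose. Neither number is given on the page.
IPP_PORT = 631
RAW_PORT = 9100

# RFC 1918 private ranges: the addressing plan the page assumes for RES_L.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


@dataclass
class HomeRouter:
    """ROUT_L: owns the public address AD_1 and a static port-forwarding table.
    Only ports listed in that table are reachable from the Internet."""
    public_ip: str
    port_forward: Dict[int, Tuple[str, int]]  # external port -> (internal ip, internal port)
    delivered: List[Packet] = field(default_factory=list)

    def receive_from_internet(self, pkt: Packet) -> Optional[Packet]:
        target = self.port_forward.get(pkt.dport)
        if target is None:
            return None  # no static mapping: the packet never reaches the LAN
        internal_ip, internal_port = target
        out = Packet(pkt.src, internal_ip, internal_port, pkt.payload)
        self.delivered.append(out)
        return out


class IPsecGateway:
    """PASS_D together with the MTI correlation table (ad_3 -> AD_1)."""

    def __init__(self, remote_net: str, public_ip: str, internet: Dict[str, HomeRouter]):
        self.remote_net = ipaddress.ip_network(remote_net)
        self.public_ip = public_ip
        self.internet = internet        # AD_1 -> router; stands in for the Internet path
        self.mti: Dict[str, str] = {}   # ad_3 -> AD_1, filled at IKE time
        self._pool = iter(self.remote_net.hosts())

    def ike_exchange(self, outer_src: str) -> str:
        """Tunnel setup: the IKE packets arrive with source AD_1 (the router's
        NAT address); the gateway leases ad_3 and MTI records the pair."""
        ad_3 = str(next(self._pool))
        self.mti[ad_3] = outer_src
        return ad_3

    def classify(self, pkt: Packet) -> str:
        dst = ipaddress.ip_address(pkt.dst)
        if dst in self.remote_net:
            return "intranet"  # normal case: deliver inside RES_D
        # A private destination outside the business plan, coming from a known
        # tunnel terminal, can only be that terminal's own home network.
        if pkt.src in self.mti and any(dst in net for net in RFC1918):
            return "home"
        return "drop"

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        kind = self.classify(pkt)
        if kind == "intranet":
            return kind, pkt
        if kind == "home":
            ad_1 = self.mti[pkt.src]
            # Relay toward AD_1; the home router sees the gateway as the source.
            relayed = Packet(self.public_ip, ad_1, pkt.dport, pkt.payload)
            return kind, self.internet[ad_1].receive_from_internet(relayed)
        return kind, None

    def tunnel_closed(self, ad_3: str) -> None:
        """Session teardown: purge the MTI entry so later packets are not relayed."""
        self.mti.pop(ad_3, None)


def run_scenario() -> dict:
    """Constructed walk-through: printer E_L at 192.168.1.20 behind ROUT_L
    (AD_1 = 198.51.100.7), gateway PASS_D at 203.0.113.1, business plan 10.10.0.0/16."""
    rout_l = HomeRouter("198.51.100.7", {IPP_PORT: ("192.168.1.20", IPP_PORT)})
    pass_d = IPsecGateway("10.10.0.0/16", "203.0.113.1", {"198.51.100.7": rout_l})

    ad_3 = pass_d.ike_exchange("198.51.100.7")
    intranet = pass_d.forward(Packet(ad_3, "10.10.5.5", 80, "GET /"))
    printed = pass_d.forward(Packet(ad_3, "192.168.1.20", IPP_PORT, "IPP Print-Job"))
    raw = pass_d.forward(Packet(ad_3, "192.168.1.20", RAW_PORT, "raw PCL"))
    stranger = pass_d.forward(Packet("10.10.0.200", "192.168.1.20", IPP_PORT, "IPP Print-Job"))
    pass_d.tunnel_closed(ad_3)
    after_close = pass_d.forward(Packet(ad_3, "192.168.1.20", IPP_PORT, "IPP Print-Job"))
    return {
        "ad_3": ad_3, "intranet": intranet[0], "printed": printed, "raw": raw,
        "stranger": stranger[0], "after_close": after_close[0], "mti_empty": not pass_d.mti,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Two ordering choices carry the security point. In classify, membership in the business plan is tested before the RFC 1918 test, which is how the gateway resolves the overlap case mentioned above, and the home branch only fires for a source address that MTI leased through IKE, so a packet from any other source is dropped rather than relayed to somebody's home router. On the router side, only the statically forwarded port reaches E_L; the raw-port packet is relayed by the gateway but discarded by ROUT_L, which is the exposure the page's optional gateway-to-router tunnel and "reserve access for the gateway" operation are meant to narrow.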

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
US11/300,107 2004-12-16 2005-12-14 Method for operating a local computer network connected to a remote private network by an IPsec tunnel, software module and IPsec gateway Expired - Fee Related US7869451B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0413413 2004-12-16
FR0413413 2004-12-16

Publications (2)

Publication Number Publication Date
US20060171401A1 US20060171401A1 (en) 2006-08-03
US7869451B2 true US7869451B2 (en) 2011-01-11

Family

ID=34952609

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/300,107 Expired - Fee Related US7869451B2 (en) 2004-12-16 2005-12-14 Method for operating a local computer network connected to a remote private network by an IPsec tunnel, software module and IPsec gateway

Country Status (8)

Country Link
US (1) US7869451B2 (zh)
EP (1) EP1672849B1 (zh)
JP (1) JP4746978B2 (zh)
KR (1) KR20060069345A (zh)
CN (1) CN1801791A (zh)
AT (1) ATE529980T1 (zh)
ES (1) ES2375710T3 (zh)
PL (1) PL1672849T3 (zh)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100596069C (zh) * 2006-08-15 2010-03-24 中国电信股份有限公司 System and method for automatic configuration of IPsec security policies in a home gateway
US8312123B2 (en) * 2009-11-07 2012-11-13 Harris Technology, Llc Address sharing network
JP6015360B2 (ja) * 2012-11-02 2016-10-26 ブラザー工業株式会社 Communication device and communication program
CN107217964A (zh) * 2017-08-02 2017-09-29 哈尔滨阁韵窗业有限公司 A bulletproof aluminium-clad wooden window
CN114338939A (zh) * 2021-12-21 2022-04-12 广东纬德信息科技股份有限公司 A secure printing and scanning system

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6055236A (en) * 1998-03-05 2000-04-25 3Com Corporation Method and system for locating network services with distributed network address translation
US6243379B1 (en) * 1997-04-04 2001-06-05 Ramp Networks, Inc. Connection and packet level multiplexing between network links
US20020010866A1 (en) * 1999-12-16 2002-01-24 Mccullough David J. Method and apparatus for improving peer-to-peer bandwidth between remote networks by combining multiple connections which use arbitrary data paths
US6431772B1 (en) * 2000-04-26 2002-08-13 Hitachi Koki Imaging Solutions, Inc. Broadcast printing system and method
US20020136210A1 (en) * 2001-03-21 2002-09-26 International Business Machines Corporation System and method for virtual private network network address translation propagation over nested connections with coincident local endpoints
US20030182363A1 (en) 2002-03-25 2003-09-25 James Clough Providing private network local resource access to a logically remote device
US6671729B1 (en) * 2000-04-13 2003-12-30 Lockheed Martin Corporation Autonomously established secure and persistent internet connection and autonomously reestablished without user intervention that connection if it lost
US20040071149A1 (en) * 2002-10-12 2004-04-15 Kim Geon-Woo Method and apparatus for transmitting data in a system using network address translation
US20040078600A1 (en) * 2002-07-11 2004-04-22 Nilsen Frode Beckmann Seamless IP mobility across security boundaries
US20040177157A1 (en) 2003-02-13 2004-09-09 Nortel Networks Limited Logical grouping of VPN tunnels
US20040227971A1 (en) * 2003-05-12 2004-11-18 James Clough Systems and methods for accessing a printing service
US20050213574A1 (en) * 2004-03-23 2005-09-29 Naomasa Yoshimura Communication system
US7296155B1 (en) * 2001-06-08 2007-11-13 Cisco Technology, Inc. Process and system providing internet protocol security without secure domain resolution

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001007849A (ja) * 1999-06-18 2001-01-12 Toshiba Corp MPLS packet processing method and MPLS packet processing device
JP4236364B2 (ja) * 2000-04-04 2009-03-11 富士通株式会社 Communication data relay device
JP3519696B2 (ja) * 2000-07-18 2004-04-19 アイテイーマネージ株式会社 Monitoring system and monitoring method
JP2003244243A (ja) * 2002-02-13 2003-08-29 Seiko Epson Corp Network connection device having a filtering function


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Easy Software Products; An Overview of the Common UNIX Printing System, Version 1.1; Jul. 10, 2000.
P. Srisuresh, RFC 2709, Security Model with Tunnel-mode IPsec for NAT Domains Status of this Memo, Oct. 1999. *

Also Published As

Publication number Publication date
JP2006238415A (ja) 2006-09-07
PL1672849T3 (pl) 2012-03-30
JP4746978B2 (ja) 2011-08-10
EP1672849B1 (fr) 2011-10-19
US20060171401A1 (en) 2006-08-03
ATE529980T1 (de) 2011-11-15
CN1801791A (zh) 2006-07-12
EP1672849A1 (fr) 2006-06-21
KR20060069345A (ko) 2006-06-21
ES2375710T3 (es) 2012-03-05

Similar Documents

Publication Publication Date Title
US7131141B1 (en) Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
RU2241252C2 (ru) Network address translation gateway for local area networks using local IP addresses and non-translated port addresses
US7782897B1 (en) Multimedia over internet protocol border controller for network-based virtual private networks
EP1911242B1 (en) Ipsec connection over nat gateway
US8291116B2 (en) Communications system
EP2253123B1 (en) Method and apparatus for communication of data packets between local networks
Davies et al. IPv6 transition/co-existence security considerations
US7574522B2 (en) Communication data relay system
US20070127500A1 (en) System, device, method and software for providing a visitor access to a public network
US8520687B2 (en) Method and apparatus for internet protocol multimedia bearer path optimization through a succession of border gateways
JP2011501624A (ja) Various methods and apparatus for accessing, via a virtual IP address, a network device that has no accessible address
US20050015510A1 (en) Method for implementing transparent gateway or proxy in a network
US11831607B2 (en) Secure private traffic exchange in a unified network service
KR20110062994A (ko) System and method for inducing Internet access path bypass through DNS packet manipulation
EP1328105B1 (en) Method for sending a packet from a first IPsec client to a second IPsec client through a L2TP tunnel
JPWO2006120751A1 (ja) Peer-to-peer communication method and system enabling incoming and outgoing calls
US7394756B1 (en) Secure hidden route in a data network
US7869451B2 (en) Method for operating a local computer network connected to a remote private network by an IPsec tunnel, software module and IPsec gateway
CN112787940A (zh) Multi-level VPN encrypted transmission method, system, device and storage medium
US20010037384A1 (en) System and method for implementing a virtual backbone on a common network infrastructure
CN115277190B (zh) Method for a link-layer transparent encryption system to implement neighbor discovery on a network
EP1757061B1 (en) Extensions to filter on ipv6 header
Davies et al. RFC 4942: IPv6 Transition/Co-existence Security Considerations
Richburg Microsoft Windows 2000? Router Configuration Guide
Savola, E. Davies (Consultant), S. Krishnan (Ericsson): IPv6 Operations Internet-Draft, expires April 9, 2006

Legal Events

Date Code Title Description
AS Assignment

Owner name: FRANCE TELECOM, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHARLES, OLIVER;BUTTI, LAURENT;VEYSSET, FRANCK;REEL/FRAME:017258/0105

Effective date: 20060124

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: TRANSPACIFIC IP GROUP LIMITED, CAYMAN ISLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ORANGE;REEL/FRAME:044625/0315

Effective date: 20170921

Owner name: ORANGE, FRANCE

Free format text: CHANGE OF NAME;ASSIGNOR:FRANCE TELECOM;REEL/FRAME:044625/0361

Effective date: 20130702

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: 7.5 YR SURCHARGE - LATE PMT W/IN 6 MO, LARGE ENTITY (ORIGINAL EVENT CODE: M1555); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: ACACIA RESEARCH GROUP LLC, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TRANSPACIFIC IP GROUP LIMITED;REEL/FRAME:051192/0596

Effective date: 20190329

AS Assignment

Owner name: MONARCH NETWORKING SOLUTIONS LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ACACIA RESEARCH GROUP LLC;REEL/FRAME:051238/0718

Effective date: 20191118

AS Assignment

Owner name: STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT, NEW YORK

Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:ACACIA RESEARCH GROUP LLC;AMERICAN VEHICULAR SCIENCES LLC;BONUTTI SKELETAL INNOVATIONS LLC;AND OTHERS;REEL/FRAME:052853/0153

Effective date: 20200604

AS Assignment

Owner name: STINGRAY IP SOLUTIONS LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: PARTHENON UNIFIED MEMORY ARCHITECTURE LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: INNOVATIVE DISPLAY TECHNOLOGIES LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: SUPER INTERCONNECT TECHNOLOGIES LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: TELECONFERENCE SYSTEMS LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: R2 SOLUTIONS LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: AMERICAN VEHICULAR SCIENCES LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: ACACIA RESEARCH GROUP LLC, NEW YORK

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: LIFEPORT SCIENCES LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: CELLULAR COMMUNICATIONS EQUIPMENT LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: SAINT LAWRENCE COMMUNICATIONS LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: NEXUS DISPLAY TECHNOLOGIES LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: UNIFICATION TECHNOLOGIES LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: LIMESTONE MEMORY SYSTEMS LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: MONARCH NETWORKING SOLUTIONS LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: BONUTTI SKELETAL INNOVATIONS LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

Owner name: MOBILE ENHANCEMENT SOLUTIONS LLC, TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP;REEL/FRAME:053654/0254

Effective date: 20200630

AS Assignment

Owner name: STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT, NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNOR NAME PREVIOUSLY RECORDED ON REEL 052853 FRAME 0153. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST GRANTED PURSUANT TO THE PATENT SECURITY AGREEMENT PREVIOUSLY RECORDED;ASSIGNOR:MONARCH NETWORKING SOLUTIONS LLC;REEL/FRAME:055100/0624

Effective date: 20200604

Owner name: MONARCH NETWORKING SOLUTIONS LLC, CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE NAME PREVIOUSLY RECORDED ON REEL 053654 FRAME 0254. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST GRANTED PURSUANT TO THE PATENT SECURITY AGREEMENT PREVIOUSLY RECORDED;ASSIGNOR:STARBOARD VALUE INTERMEDIATE FUND LP, AS COLLATERAL AGENT;REEL/FRAME:055101/0608

Effective date: 20200630

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20230111